Add daily Trivy scan of fleetdm/fleet built from main #47518
Sibling to check-vulnerabilities-in-released-docker-images.yml, which only scans the most recent 5 shipped releases. That left a 1-3 week blind spot between an Alpine base image bump landing on main and the next minor cut, during which new OS-package CVEs (e.g. CVE-2026-34182 in openssl 3.5.6-r0) go undetected by in-repo CI. Builds the fleet image from the current main-branch Dockerfile with a placeholder fleet binary, runs Trivy with --pkg-types=os against it, and posts to the same Slack webhook on failure.
Pull request overview
Adds a new GitHub Actions workflow that builds the fleetdm/fleet Docker image from the repo’s current tools/fleet-docker/Dockerfile and runs a daily Trivy scan focused on OS-package CVEs (using Fleet’s existing VEX suppressions), with Slack alerting on scheduled failures.
Changes:
- Introduces .github/workflows/check-vulnerabilities-in-main-docker-image.yml to run daily at 07:00 UTC (and via workflow_dispatch).
- Builds a local fleetdm/fleet:main-scan image using a placeholder fleet binary (scan targets OS layers only).
- Runs Trivy with --pkg-types=os, emits JSON + table output, and posts a Slack alert (scheduled runs only) including an extracted CVE list.
No actionable comments were generated in the recent review.
Walkthrough: Adds a GitHub Actions workflow that builds fleetdm/fleet:main-scan from main, enumerates VEX files to construct Trivy flags, runs Trivy to scan for CRITICAL OS package vulnerabilities (writing JSON and a table), parses and deduplicates CVEs from Trivy JSON on failure, exposes a formatted cve_list, and sends a Slack incoming-webhook notification when a scheduled cron run fails.
Actionable comments posted: 2
🧹 Nitpick comments (1)
.github/workflows/check-vulnerabilities-in-main-docker-image.yml (1)
49-54 (💤 Low value): Consider simplifying the VEX file enumeration.
The current shell pipeline works but could be more readable.
♻️ Proposed simplification
- name: List fleet VEX files id: generate_fleet_vex_files run: | - VEX_FILES=$(ls -1 ./security/vex/fleet/ | while IFS= read -r line; do echo "./security/vex/fleet/$line"; done | tr '\n' ',' | sed 's/.$//') + VEX_FILES=$(find ./security/vex/fleet/ -type f -printf './security/vex/fleet/%f,' | sed 's/,$//') echo $VEX_FILES echo "FLEET_VEX_FILES=$VEX_FILES" >> $GITHUB_OUTPUTAlternatively, using a simpler approach:
- name: List fleet VEX files id: generate_fleet_vex_files run: | - VEX_FILES=$(ls -1 ./security/vex/fleet/ | while IFS= read -r line; do echo "./security/vex/fleet/$line"; done | tr '\n' ',' | sed 's/.$//') + VEX_FILES=$(ls -1 ./security/vex/fleet/*.vex.json | tr '\n' ',' | sed 's/,$//') echo $VEX_FILES echo "FLEET_VEX_FILES=$VEX_FILES" >> $GITHUB_OUTPUT🤖 Prompt for AI Agents
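Review bot: both proposed variants still join the paths into one comma-separated VEX_FILES string, and the actionable finding in this same review (lines 74-81) says Trivy takes a separate --vex flag per source, so changing the enumeration alone does not fix how the value is consumed; the second variant also narrows the listing to *.vex.json, so a suppression file in ./security/vex/fleet/ without that suffix would be silently dropped where the original ls -1 picked up every entry. Suggest keeping a plain directory glob and expanding the result into repeated --vex arguments in the Trivy step.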
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/check-vulnerabilities-in-main-docker-image.yml:
- Around line 36-39: The workflow pins actions/checkout to an old v3 SHA (actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9); update the uses declaration for actions/checkout to the v4 release (e.g., actions/checkout@v4 or the same v4 SHA used elsewhere such as actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683) by replacing the current uses value in the Checkout step so this workflow aligns with other workflows and gets the v4 fixes/improvements.
- Around line 74-81: The Trivy invocation is passing multiple local VEX files as one comma-separated value to the --vex flag (use the output from generate_fleet_vex_files.outputs.FLEET_VEX_FILES), but Trivy requires a separate --vex flag per source; update the trivy command in the workflow so the value of FLEET_VEX_FILES is expanded into repeated --vex arguments (one --vex per file) before calling ./trivy image (e.g., build the flags by splitting the FLEET_VEX_FILES output and prefixing each with "--vex" or iterate over the list and call trivy with multiple --vex entries) so that --vex is not given a comma-separated list as a single argument.
---
Nitpick comments:
In @.github/workflows/check-vulnerabilities-in-main-docker-image.yml:
- Around line 49-54: Replace the long pipeline that builds VEX_FILES in the step with a simpler glob + printf approach: use the step id generate_fleet_vex_files and variable VEX_FILES to collect files via something like VEX_FILES=$(printf '%s,' ./security/vex/fleet/* | sed 's/,$//') (or use IFS=,; echo ./security/vex/fleet/*) to produce a comma-separated list, then keep the echo "FLEET_VEX_FILES=$VEX_FILES" >> $GITHUB_OUTPUT line to export it.
- Bump actions/checkout from v3.5.3 to v4.2.2 (matches the SHA used by the rest of the repo).
- Pass VEX files as repeated --vex= flags instead of one comma-separated value. Trivy treats a comma-separated --vex value as a single path, so only the first listed file (or none) was being applied.
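The fix this commit describes, one --vex flag per file instead of a single comma-joined value, as an added POSIX shell example that is not the PR's workflow code; the VEX directory and file names are constructed, and count_vex_flags stands in for the real trivy binary.

```shell
# Added example, not code from the PR or Fleet's workflow: enumerate VEX
# documents and pass them to Trivy as repeated --vex=<file> flags, never as one
# comma-joined string (Trivy would read that as a single, nonexistent path).
# The sample directory and file names below are constructed for the demo.

# Comma-separated list of regular files in $1, the shape the workflow step
# generate_fleet_vex_files exports as FLEET_VEX_FILES.
csv_of_files() {
  csv=""
  for f in "$1"/*; do
    [ -f "$f" ] || continue           # skip subdirectories and no-match globs
    csv="${csv:+$csv,}$f"
  done
  printf '%s' "$csv"
}

# Expand a comma-separated list into one --vex=<path> per line.
vex_flags_from_csv() {
  [ -n "$1" ] || return 0
  old_ifs=$IFS; IFS=','; set -f     # split on commas only, no globbing
  set -- $1
  IFS=$old_ifs; set +f
  for item in "$@"; do printf -- '--vex=%s\n' "$item"; done
}

# Run a command with --vex=<file> appended for every regular file in $1.
# Real use: with_vex_flags ./security/vex/fleet ./trivy image --pkg-types=os fleetdm/fleet:main-scan
with_vex_flags() {
  dir=$1; shift
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    set -- "$@" "--vex=$f"            # "$@" keeps odd paths intact
  done
  "$@"
}
# Stand-in for trivy: reports how many --vex flags it received.
count_vex_flags() {
  n=0
  for a in "$@"; do case $a in --vex=*) n=$((n + 1)) ;; esac; done
  echo "$n"
}

# Constructed sample directory: two VEX documents plus a subdirectory to skip.
make_sample_vex_dir() {
  d=$(mktemp -d)
  printf '{}' > "$d/CVE-0000-0001.vex.json"
  printf '{}' > "$d/CVE-0000-0002.vex.json"
  mkdir "$d/notes"
  printf '%s' "$d"
}
```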
Addressed CodeRabbit's two actionable findings in d87cbdd:
Skipped the nitpick (line 49-54) on simplifying the
The sibling workflow has the same v3 checkout pin and the same comma-separated
Main workflow (this PR):
- Concurrency group keyed on github.ref instead of head_ref||run_id so the scheduled and dispatched runs actually share a group and cancel-in-progress works as the comment claims.
- Renamed step "Build fleet docker image from main" to "Build fleet docker image" because workflow_dispatch builds from the dispatched ref, not main.
- Hardened the trivy curl: -fsSL plus --retry 3 so an HTTP error fails the step instead of producing a non-tarball body that breaks tar later.

Released-images workflow has the same issues; applying the same fixes plus the checkout-v4 and --vex-multiple-flags fixes from the previous commit.
Addressed the Copilot review (4486832152) in 27be42b:
Replicated all the fixes from this PR (checkout v3→v4,
Summary
- check-vulnerabilities-in-main-docker-image.yml, a daily Trivy scan that builds the fleetdm/fleet image from the current main-branch Dockerfile and scans it for OS-package CVEs.
- check-vulnerabilities-in-released-docker-images.yml, which only scans the 5 most-recently shipped fleetdm/fleet:<version> tags. That leaves a 1-3 week window between an Alpine base image bump landing on main and the next minor cut, during which new OS-package CVEs surface only in external scanners (e.g. Aikido). This workflow closes that window.
- openssl 3.5.6-r0 (NVD CVSS 9.1) was disclosed 2026-06-09 and flagged by Aikido against the current fleetdm/fleet build, but the in-repo Trivy daily can't see it because alpine:3.23.4 hasn't shipped in a tagged release yet.

Design
- tools/fleet-docker/Dockerfile with a placeholder fleet binary (the scan only needs OS layers).
- --pkg-types=os — Go module CVEs in the real binary are already covered by Dependabot, govulncheck, and Aikido SCA; no point duplicating that work here.
- --severity=CRITICAL threshold and same security/vex/fleet/ VEX suppressions as the released-images workflow, so alert volume stays consistent.
- SLACK_G_ORCHESTRATION_WEBHOOK_URL) and same alert format on failure.

Test plan
- workflow_dispatch against this branch.
- docker build -f tools/fleet-docker/Dockerfile -t fleetdm/fleet:main-scan tools/fleet-docker/ succeeds with the placeholder binary.
- trivy-results-fleet-main.json and a readable table in the job log.
- workflow_dispatch runs (only scheduled).